Struts 2.0.10 corrects a serious security flaw in the Struts 2 tags where using JSP EL expressions could allow malicious OGNL expressions through. All users are encouraged to update to Struts 2.0.10. Note that existing pages that utilize JSP EL expressions with Struts 2 tags will no longer work as of this release.

API changes

The org.apache.struts2.components.Component.determineActionURL signature has changed: now it has two more parameters. Extension developers are invited to modify their code accordingly.

Experimental Features and Plugins

Please help us test these brave new features. Feedback appreciated!

Java 1.4 support: We are backporting the core Struts and XWork JARs, and, as a courtesy, bundling them with the distribution. However, Struts 2 is being coded for Java 5 and backward compatibility is not assured.